§43 WPO · §323 HGB · §50a WPO

AI for Auditors - client figures stay in-house

Audit data is client financial data and trade secrets at once - protected by §43 WPO, §323 HGB and §203 StGB. AI must run locally here.

  • No outflow of client financial data
  • Integration into audit software
  • §50a obligation as a clear liability basis

Leading companies worldwide trust WZ-IT

  • Rekorder
  • Keymate
  • Führerscheinmacher
  • SolidProof
  • ARGE
  • Boese VA
  • NextGym
  • Maho Management
  • Golem.de
  • Millenium
  • Paritel
  • Yonju
  • EVADXB
  • Mr. Clipart
  • Aphy
  • Negosh
  • ABCO Water
The situation

Why cloud AI becomes a risk here

Working papers and report drafts tie up auditor hours but contain highly confidential client figures.

Financial data constitutes trade secrets, so an outflow is doubly critical (§43 WPO plus trade-secret protection).

Recurring research in audit standards (IDW PS) is time-consuming.

Legal framework

§203 StGB & AI: the full mechanics

Most providers only say "§203 = no cloud". What matters is the mechanism behind it, and how to satisfy it cleanly both by contract and technically.

What §203 StGB prohibits

§203 StGB criminalises the unauthorised disclosure of others' secrets by professionals bound to secrecy - client, patient and party data, trade secrets. "Unauthorised" means: without consent of the secret-holder and without legal authority. Penalty: up to one year imprisonment or a fine (subs. 1), up to two years for acting for payment (subs. 5). Offence prosecuted on application (§205 StGB), plus professional-law consequences up to withdrawal of the licence.

Why cloud AI is the problem

Inputs to ChatGPT, Copilot and similar tools are processed on third-party servers (often in the US). This transmission alone can already be a disclosure within the meaning of §203 StGB, regardless of whether the provider actively uses the data. A DPA under Art. 28 GDPR changes nothing: §203 goes beyond data-protection law and prohibits disclosure to third parties additionally and independently. A DPA is not §203 compliance; both are required.

What the 2017 reform allows

Since the reform an IT service provider, as a "contributing person" (§203 (3) s. 2 StGB), may receive access to protected information WITHOUT this being a punishable disclosure, if three conditions are met: (1) necessity for the service, (2) obligation in text form with instruction on the criminal consequences (§126b BGB), (3) careful selection, supervision and immediate termination on breach.

The flip side - your risk

Whoever does NOT oblige the contributing person becomes liable themselves under §203 (4) no. 1 StGB. Responsibility lies not with the employee who enters data into a tool, but with the professional (firm/practice owner). What is punishable is not the input into a secured system, but the missing contractual safeguard.

Skin in the game

With the reform, the contributing person is itself included in liability under §203 (4) s. 2 StGB. As your obliged service provider we are jointly liable - that is not a risk for you, but your safeguard.

The subcontractor chain

If a provider brings in subcontractors (Azure, AWS, Vercel), THESE must also be obliged in text form. With US hyperscalers this is practically not feasible - and the US CLOUD Act applies, enabling access by US authorities; EU residency does not protect against that. On-premise on your hardware has no such chain: the data does not leave your building. Our remote-maintenance access still makes us a contributing person - which is why we commit contractually, for the build and maintenance phase.

Your professional-law layer

  • Base norm: §43 WPO + §323 HGB (statutory auditor)
  • Provider norm: §50a WPO
  • Particularity: Client financial data = simultaneously trade secrets.

Our §203 compliance package

Standard part of every build / AI Cube contract, for the build and maintenance phase:

  • DPA (Art. 28 GDPR): data-protection layer
  • Secrecy obligation: text form + criminal instruction (§203 StGB / §126b BGB)
  • Subcontractor proof: short chain / on-prem

This content is general information and not legal or tax advice. The specific obligation of contributing persons under §203 StGB and the respective professional-law requirements must be reviewed by a lawyer/tax advisor on a case-by-case basis.

Use cases

What the local AI handles for you

All local on your hardware - no data outflow.

  • Analysis and summarisation of working papers
  • RAG research in audit standards (IDW PS) and internal methodology
  • Drafts for audit reports and management letters
  • Data and document analysis to support the audit
  • Internal knowledge base on audit know-how
Our approach

Advise. Build. Operate. From one team.

Sovereign AI is a lifecycle, not a device purchase, and everything stays on your infrastructure.

01 - Advise & design

Workshop, sizing, data classification and §203 contract framework. We understand your stack, professional software and compliance requirements before we recommend.

02 - Build & integrate

On-premise build on your hardware, RAG on your documents with access control, integration into your professional software, secrecy obligation + DPA.

03 - Operate & maintain (optional)

Updates, monitoring, model upgrades and RAG maintenance as a service contract, or you operate fully yourself. Handover and knowledge transfer included.

Let's Talk About Your Idea

Whether it is a specific IT challenge or just an idea, we look forward to the exchange. In a brief conversation we will evaluate together whether and how your project fits with WZ-IT.

E-Mail
[email protected]


Timo Wevelsiep & Robin Zins

Managing Directors of WZ-IT